OIDC Federated Authentication

OpenID Connect (OIDC) is a simple identity layer built on top of the OAuth 2.0 protocol. It enables clients to verify the identity of an end-user based on the authentication performed by an authorization server or identity provider (IdP), and to obtain basic profile information about the end-user in an interoperable, REST-like manner.

OpenID Connect allows one or more relying parties (RP) or clients to delegate user authentication to an OpenID Provider (OP) or authentication servers. The OpenID Provider authenticates users and provides claims to relying parties. These claims are user attributes such as first and last name, email address, and department. As a result, relying parties are freed from the need to run a login process, and users have fewer credentials to manage.

OIDC implements authentication as an extension of the OAuth 2.0 protocol and provides information about the end-user in the form of an id_token. The id_token is a signed data structure, encoded as a JSON Web Token (JWT), that contains the authenticated user's attributes. In addition to identifying the end-user (the subject), the id_token identifies the token issuer and the client application to which the token was issued.

OIDC Key Features:
  • Simple to integrate with applications.
  • Works harmoniously with a wide variety of applications.
  • Offers features and security options that meet enterprise requirements.
  • Uses JWTs for portability and supports a range of signature and encryption algorithms.

OIDC Implementation in UAA

The OIDC implementation in UAA reduces the number of passwords and other credentials that users have to manage during the authentication process. You can configure UAA as an OpenID Identity Provider, or configure it to authenticate against another instance of UAA that acts as the Identity Provider.

The following diagram shows the OIDC flow in UAA.

In this flow:
  1. The Client (Relying Party) sends a request to UAA or to any configured external OpenID Identity Provider.
    Note: In the above flow, UAA is shown as the OpenID Identity Provider; you can also configure other external identity providers such as Google or your Company SSO.
  2. UAA authenticates the end-user and obtains authorization. The user logs in using a web browser and enters login credentials for authentication.
  3. UAA returns an ID Token and an Access Token. The AuthN response is a redirect to the client application (if configured).
  4. The client sends a request with the Access Token to the user info endpoint in UAA.
  5. UAA returns claims (data) about the end-user.

Relying Party (Client Information)

The relying party, or client, is usually your web or mobile application. You must obtain and keep the following client information for the OIDC configuration.

Fields and Values:
  • Client ID: oidc_client_id
    The OAuth 2.0 Client Identifier valid at the Authorization Server (OpenID Provider).
  • Client Secret: oidc_client_secret
    The OAuth 2.0 Client Identifier secret.
  • Authorized Grant Types: authorization_code
    When you use the authorization code grant type, the client directs the resource owner to UAA, which in turn directs the resource owner back to the client with the authorization code.
  • Redirect URI: https://*.<Identity Provider UAA base url>/login/callback/*
    The URL to which a user is redirected after logging in at the OpenID Provider. This URL requires unauthenticated access.
  • Scopes: Include the openid scope in your client application.
  • Authorities: Include the openid authority in your client application.

OIDC Federated Authentication Scenarios Supported in UAA

You can configure OIDC federated authentication using the UAA dashboard for the following scenarios:
  • UAA to UAA OIDC Federated Authentication
  • UAA to Company SSO Authentication
  • UAA to Trusted External Identity Provider Authentication
The following diagram shows the UAA SP to IdP flow for the Admin user:
In this flow the Admin:
  1. Creates external identity provider clients for OIDC federated authentication.
  2. Logs in to the UAA dashboard.
  3. Creates a UAA service provider for the external identity providers.
  4. Creates IdP objects to represent the external identity providers.
The following diagram shows the UAA SP to External IdP flow for the End user:
  1. The user attempts to log in to the web application and is directed to the UAA service provider.
  2. The UAA service provider redirects the user to the external identity provider for authentication.
  3. The user logs in to the external identity provider with the IdP login credentials. The external identity provider performs authentication and sends the user's authorization and authentication data back to the UAA service provider. UAA generates access and ID tokens based on the user authentication.
  4. The user is redirected to the client application after authentication is completed.

UAA to UAA OIDC Federated Authentication – You can configure OIDC federated authentication between two instances of UAA, designating one as the identity provider (IdP) and the other as the service provider (SP), so that users of the UAA service provider are redirected to the UAA identity provider for authentication. The UAA (SP) instance is the server that receives the authentication and authorization data, while the UAA (IdP) instance is the server that receives the authentication request, performs user authentication, and sends the authentication and authorization data back to the SP. See uaas-oidc-federated-authentication.html#task_qw1_d1s_ycb for details on configuring UAA as a Service Provider.

UAA to Company SSO Authentication – You can configure your Company's SSO as the OIDC identity provider and UAA as the service provider, so that users from your company are redirected to the Company SSO identity provider for authentication. When UAA is configured with a Company SSO IdP, users can log in using their Company SSO credentials. The UAA (SP) must be set up with openid and any other scopes specific to your Company's SSO configuration, so that when UAA exchanges the authorization code for a Company SSO token, the token includes the attributes required for user authentication. You must set up your Company SSO as the allowed provider for your IdP client. See uaas-oidc-federated-authentication.html#task_hyh_qcq_vcb.
Note: Consult with your Company SSO administrator or refer to any Company SSO related documentation to include the required scopes.

UAA to Trusted External Identity Provider – You can also configure an OIDC-compliant external identity provider such as Google to perform user authentication, with UAA as the service provider (SP), so that users are redirected to the external identity provider for authentication. When Google is set up as an external OIDC federated identity provider, users can log in using their Google account credentials. The UAA (SP) must be set up with the required openid and email scopes, so that when UAA exchanges the authorization code for a Google IdP token, the token includes the attributes required for user authentication. You must set up your Google IdP client before configuring UAA as the service provider for OIDC federated authentication. See uaas-oidc-federated-authentication.html#task_vss_53t_ycb.

Configuring UAA as a Service Provider for OIDC Federated Authentication

About This Task
You can configure UAA as a service provider for an external identity provider such as Company SSO or Google. You can also configure UAA as a service provider for another UAA instance that you may want to set up as your identity provider.
Before You Begin
  • Create your external identity providers and secure the required client information for authentication. If you are configuring OIDC federated authentication between two instances of UAA, see uaas-oidc-federated-authentication.html#task_gw4_5hc_4cb.
  • Log in to Predix.io and go to the Console view.
  • Create or select a UAA instance that you want to configure as your identity provider.

The Client Management form represents your client application. You can use the information in the Client Management form to verify your Redirect URIs or other client-specific information.

Procedure
  1. Navigate to the Client Management tab in the same UAA instance and click Create Client information.
    Ensure the following information is added to the Create Client form.
    • Client ID: Specify a name for the OAuth2 client you are creating.
    • Authorized Grant Types: authorization_code
      When you use the authorization code grant type, the client directs the resource owner to UAA, which in turn directs the resource owner back to the client with the authorization code.
    • Client Secret: Specify the password. It is important that you keep a note of this password. If lost, this password cannot be retrieved.
    • Confirm Client Secret: Re-enter the client secret.
    • Redirect URI: Specify a redirect URI to redirect the client after login or logout. UAA uses the value of Redirect URI for the /oauth/authorize and /logout endpoints.
      For UAA to Company SSO OIDC configuration, the Redirect URI is the URL of your Company SSO.
    • Scopes: Scopes are permissions associated with a client that determine user access to a resource through an application.
      Note:
      • For OIDC configuration, UAA (IdP) clients must have the openid scope.
      • For UAA to Company SSO OIDC configuration, you may want to include the profile scope in addition to the openid scope.
      • For UAA to Google IdP OIDC configuration, you must include the email scope in addition to the openid scope.
    • Allowed Providers: Select the OpenID Connect identity provider that you created through the identity provider configuration.
      Note: If an OIDC identity provider has not been created before the service provider configuration, return to this task to select the Allowed Providers after you create an identity provider for your service provider.
  2. Click Save.
  3. Click the Identity Providers tab, navigate to the External Identity Provider section, and then click New Identity Provider.
    Example:
  4. In the New Identity Provider form, specify the following information:
    Tip: OIDC-compliant external IdPs publish a "well-known" URL that provides the Identity Provider field values such as the authorization endpoint and token endpoint. For example, you can browse the Google OIDC well-known endpoint, https://accounts.google.com/.well-known/openid-configuration, for Google's Identity Provider field values.
    • Name: Specify the name of your IdP.
    • Description: (Optional) Specify a short description for your IdP.
    • Login Link Text: Specify the login text that you want to display for your IdP.
    • Type: Select OIDC as the type.
    • Email Domain: (Optional) Specify the email domain that UAA can use to identify the identity provider if you have configured more than one identity provider. To support this feature, UAA provides an IdP discovery configuration. By default, this configuration is set to False.
      You can configure UAA to enable IdP Discovery if you have configured more than one identity provider. For more information, see uaas-managing-identity-providers.html#task_64ea2282-0cac-4bbc-a838-542690b157a3.
    • Active: Select this option to set the IdP as active.
    • Username Mapping: Specify the username attribute defined in your IdP.
      Username mapping is a required field that maps the user_name attribute (a unique identifier associated with a user) to a specific user from the IdP.
      Note: You must ensure that the OIDC attribute mapped to the username is unique for each user.
      Although the OIDC specification guarantees a unique sub attribute for each user in the ID token, your OIDC provider may choose to provide a more suitable username attribute in a human-readable format.
    • Authorization Endpoint Url: Specify the authorization endpoint for the OIDC token.
    • Token Endpoint Url: Specify the token URL for retrieving an OIDC token with an authorization code.
    • Token Key Endpoint Url: Specify the token key endpoint URL used for token verification.
    • Token Issuer: Specify the URL of your OIDC provider.
    • Relying Party Client ID: Specify the OIDC provider client ID.
      The Relying Party Client ID and Client Secret are checked against the client ID and client secret stored in the authorization server before an authorization token is issued.
    • Relying Party Client Secret: Specify the OIDC provider client secret.
    • Attribute Mapping: (Optional) Specify the user attributes and any custom attributes specific to the user.
      Attribute Mapping allows you to propagate the user's name attribute, along with any other stored user information such as email address, first name or last name, from the identity provider (for example, Company SSO) to the UAA service provider. These attributes, along with any other stored user information, are shared with applications via the OpenID tokens.
    • Automatically create a shadow user on login: Select this option only if you want to automatically create a local user in UAA to represent each federated user.
      You must manually create the local users when this option is set to false. Setting a false value allows an admin to control which users from an IdP can have access; in other words, the admin can whitelist certain users to grant them access.
      Setting this option to true grants access to any user from the federated IdP.
  5. Click Save.
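The checks and mapping that the form above implies on the UAA (SP) side, shown as an added example rather than UAA's own code: it verifies an id_token (see the id_token description at the top of this page) against the configured Token Issuer, Relying Party Client ID and Client Secret, applies Username Mapping and Attribute Mapping, and enforces the shadow-user rule. The configuration values, users and tokens are constructed placeholders, and an HS256 signature keyed with the client secret stands in for the usual RS256 check against the Token Key Endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for the UAA (SP) "New Identity Provider" form values;
# the issuer host, client ID and secret are placeholders, not real endpoints.
IDP_CONFIG = {
    "issuer": "https://idp.example.invalid/oauth/token",  # Token Issuer
    "relyingPartyId": "oidc_client_id",                    # Relying Party Client ID
    "relyingPartySecret": "oidc_client_secret",            # Relying Party Client Secret
    "attributeMappings": {             # Attribute Mapping: UAA attribute -> IdP claim name
        "user_name": "preferred_username",                 # Username Mapping
        "email": "email",
        "given_name": "first_name",
        "family_name": "last_name",
    },
    "addShadowUserOnLogin": False,     # admin pre-creates (whitelists) the local users
}

# Local users the admin created by hand; this is the whitelist that applies
# when "Automatically create a shadow user on login" is off.
LOCAL_USERS = {"alice"}

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_id_token(claims, secret):
    """Constructed IdP side: issue an HS256 ID token keyed with the client secret
    (permitted by OIDC Core); production IdPs normally use RS256 keys published
    at the Token Key Endpoint instead."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"

def verify_id_token(token, cfg, now, expected_nonce):
    """Return the claims only if signature, issuer, audience, expiry and nonce all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick an algorithm we did not configure
        raise ValueError("unexpected alg")
    expected = hmac.new(cfg["relyingPartySecret"].encode(),
                        f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != cfg["issuer"]:  # must equal the configured Token Issuer
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if cfg["relyingPartyId"] not in aud:    # token was issued to some other client
        raise ValueError("audience mismatch")
    if len(aud) > 1 and claims.get("azp") != cfg["relyingPartyId"]:
        raise ValueError("azp mismatch")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:  # ties the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims

def map_user(claims, cfg, local_users):
    """Apply Username Mapping / Attribute Mapping and the shadow-user rule."""
    mapping = cfg["attributeMappings"]
    user_name = claims.get(mapping["user_name"])
    if not user_name:
        raise ValueError("mapped username claim is missing from the ID token")
    if not cfg["addShadowUserOnLogin"] and user_name not in local_users:
        raise PermissionError(f"no local user for federated user {user_name!r}")
    attrs = {local: claims[remote] for local, remote in mapping.items() if remote in claims}
    return {"user_name": user_name, "sub": claims["sub"], "attributes": attrs}

def login(token, cfg=IDP_CONFIG, local_users=LOCAL_USERS, now=None, nonce="n-1"):
    """What the SP does with the id_token it receives from the token endpoint."""
    claims = verify_id_token(token, cfg, int(time.time()) if now is None else now, nonce)
    return map_user(claims, cfg, local_users)

def sample_token(user, **overrides):
    """Constructed ID token for the demo; overrides let a caller break individual claims."""
    claims = {"iss": IDP_CONFIG["issuer"], "sub": f"{user}-sub-id",
              "aud": IDP_CONFIG["relyingPartyId"], "exp": 2_000_000_000,
              "iat": 1_700_000_000, "nonce": "n-1", "preferred_username": user,
              "email": f"{user}@example.invalid", "first_name": user.title(),
              "last_name": "Example"}
    claims.update(overrides)
    return make_id_token(claims, IDP_CONFIG["relyingPartySecret"])
```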
Example
What To Do Next

uaas-oidc-federated-authentication.html#task_fvv_hmc_qcb

Configuring UAA as an OIDC Identity Provider

About This Task
You can set up your configuration to use one instance of UAA as a service provider (SP) and the other as the identity provider (IdP) from the UAA dashboard. We recommend that you configure your UAA (IdP) instance before configuring the UAA (SP) instance.
Before You Begin
  • Select or create a UAA instance that you want to set up as your IdP.
Procedure
  1. Open your UAA (IdP) instance and add the New User information in the User Management tab.
    Ensure that the following information is entered and saved in the New User form.
    • Regular User: Choose this option to set up local users in your UAA. A Regular User is not configured through an external Identity Provider (IdP).
    • Shadow User: Choose this option to create a local user in UAA corresponding to a user defined in your external IdP. The Shadow User option is useful if you need to whitelist users so that only a subset of the users set up in your identity provider can authenticate.
      To set up individual shadow users, ensure that the option to create shadow users automatically is not selected while configuring a new IdP.
    • User Name: Specify the user name. If you are setting up a shadow user, this value must match the user name defined in your IdP.
    • Email: Specify the email address. If you are setting up a shadow user, this value must match the user name defined in your IdP.
    • Password: Specify the password. An administrator can set password policies to define the permitted structure of the password. For more information, see create-pswd-policies.html#task_gdk_f43_fx.
      This option is not required if you are setting up a shadow user.
    • Active: Select this option to allow your Regular or Shadow user to log in.
    • Verified: Select this option to indicate that this Regular or Shadow user is a verified user.
    Example:
  2. Click Save.
    The Client Management form represents your client application. You can use the information in the Client Management form to verify the destination of your Redirect URIs or other client-specific information.
  3. Navigate to the Client Management tab and click Create Client information.
    Ensure the following information is added to the Client form.
    • Client ID: Specify a name for the OAuth2 client you are creating.
    • Authorized Grant Types: authorization_code
      When you use the authorization code grant type, the client directs the resource owner to UAA, which in turn directs the resource owner back to the client with the authorization code.
    • Client Secret: Specify the password. It is important that you keep a note of this password. If lost, this password cannot be retrieved.
    • Confirm Client Secret: Re-enter the client secret.
    • Redirect URI: Specify a redirect URI to redirect the client after login or logout. UAA uses the value of Redirect URI for the /oauth/authorize and /logout endpoints.
    • Scopes: Scopes are permissions associated with a client that determine user access to a resource through an application. Add the openid and uaa.resource scopes.
      Note: For OIDC configuration, UAA (IdP) clients must have the openid scope.
    Example:
  4. Click Save.
What To Do Next

uaas-managing-identity-providers.html#task_oct_sz2_5w

Verifying UAA to UAA OIDC Configuration

Before You Begin
Ensure you have the following information ready before you perform the verification task:
Procedure
  1. Enter the Redirect URI link for the UAA (IdP) in your browser.
    A UAA login screen displays with the Login Link Text that you entered for your IdP login.
    Example:
    If the Login Link Text (UAA_IDP in the above example) matches the text that you entered in the UAA_SP's Identity Provider form for the IdP login, the OIDC configuration has been completed successfully.
  2. Click the Login Link Text; you are redirected to the IdP login page. Enter the user credentials (email/username and password) that you created in UAA_IdP.
    On successful login, the Application Authorization window displays. You can choose to Authorize or Deny access to your application.
    Example:

Example: Configuring UAA SP for OIDC Authentication Using Company SSO IdP

About This Task

The following example shows the UAA SP configuration from the dashboard for OIDC federated authentication with your Company SSO.
Note: This example does not include instructions to configure your Company SSO Client information.

Before You Begin

  • Create the Company SSO identity provider information.
  • Create or select a UAA instance that you want to configure as the SP for your Company SSO IdP.

Complete the following procedure to configure Company SSO as the external identity provider.

Procedure

  1. Click the Identity Providers tab, navigate to the External Identity Provider section, and then click New Identity Provider.
    Example:
  2. In the New Identity Provider form, specify the following information:
    • Name: Specify the name of your IdP.
    • Description: (Optional) Specify a short description for your IdP.
    • Login Link Text: Specify the login text that you want to display for your IdP.
    • Type: Select OIDC as the type.
    • Email Domain: (Optional) Specify the email domain that UAA can use to identify the identity provider if you have configured more than one identity provider.
    • Active: Select this option to set the IdP as active.
    • Username Mapping: Specify the username attribute defined in your IdP.
      Username mapping is a required field that maps the user_name attribute (a unique identifier associated with a user) to a specific user from the IdP.
      Note: You must ensure that the OIDC attribute mapped to user_name is unique for each user.
      Although the OIDC specification guarantees a unique sub attribute for each user in the ID token, your OIDC provider may choose to provide a more suitable username attribute in a human-readable format.
    • Authorization Endpoint Url: Specify the authorization endpoint for the OIDC token.
    • Token Endpoint Url: Specify the token URL for retrieving an OIDC token with an authorization code.
    • Token Key Endpoint Url: Specify the token key endpoint URL used for token verification.
    • Token Issuer: Specify the URL of your OIDC provider.
    • Relying Party Client ID: Specify the OIDC provider client ID.
      The Relying Party Client ID and Client Secret are checked against the client ID and client secret stored in the authorization server before an authorization token is issued.
    • Relying Party Client Secret: Specify the OIDC provider client secret.
    • Attribute Mapping: (Optional) Specify the user attributes and any custom attributes specific to the user.
      Attribute Mapping allows you to propagate the user's name attribute, along with any other stored user information such as email address, first name or last name, from the identity provider (Company SSO) to the service provider (UAA). These attributes, along with any other stored user information, are shared with applications via the OpenID tokens.
    • Automatically create a shadow user on login: Select this option only if you want to create a local user in UAA corresponding to each user defined in the identity provider that you are configuring.
      You must manually create the local users when this option is set to false. Setting a false value allows an admin to control which users from an IdP can have access; in other words, the admin can whitelist certain users to grant them access.
      Setting this option to true grants access to any user from the federated IdP.
    Example:
    Note: In the following example we have used these URLs:
    • https://fssfed.ge.com/fss/as/authorization.oauth2 as the Authorization Endpoint Url
    • https://fssfed.ge.com/fss/as/token.oauth2 as the Token Endpoint Url
    • https://fssfed.ge.com/fss/pf/JWKS as the Token Key Endpoint Url
  3. Click Save.
    The Client Management form represents your client application. You can use the information in the Client Management form to verify the destination of your Redirect URIs or other client-specific information.
  4. Navigate to the Client Management tab in the same UAA instance and click Create Client information.
    Ensure the following information is added to the Create Client form.
    • Client ID: Specify a name for the OAuth2 client you are creating.
    • Authorized Grant Types: authorization_code
      When you use the authorization code grant type, the client directs the resource owner to UAA, which in turn directs the resource owner back to the client with the authorization code.
    • Client Secret: Specify the password. It is important that you keep a note of this password. If lost, this password cannot be retrieved.
    • Confirm Client Secret: Re-enter the client secret.
    • Redirect URI: Specify a redirect URI (the URL of your Company SSO) to redirect the client after login or logout. UAA uses the value of Redirect URI for the /oauth/authorize and /logout endpoints.
      The Redirect URI for this client is the link to the application that the user is trying to use. Once authentication is successful, UAA sends the application user back to the application.
    • Scopes: Scopes are permissions associated with a client that determine user access to a resource through an application. Add the openid, user_attributes, and profile scopes.
      Note: Depending on your Company's SSO setup, the scopes may vary for your configuration. Consult your Company SSO administrator or any related documentation to include the required scopes.
    • Allowed Providers: Select the OpenID Connect identity provider that you created.
      For this example, we created a provider named "SSO_IdP" in Step 2.

    Example:
    Note: In the following example, we have used the Predix.io Url (https://www.predix.io/) as our Redirect URI.
  5. Click Save.

Example: Verifying Company SSO as an OIDC IdP Configuration

Before You Begin

Ensure that you have your UAA service provider instance link handy. Your UAA instance link must be in this format, https://<uaa_zone_id>.<uaa_url>/login.

Procedure

  1. Open a new browser and enter the UAA instance link that you configured for the Company SSO IdP.
    Example: https://9cc6b706-a76f-49d0-9d31-589d81db3792.predix-uaa.run.aws-usw02-pr.ice.predix.io/login

    A UAA dashboard login screen displays with the Login Link Text that you entered for your IdP login.

    Example:
  2. Click the Login Link Text ("Company SSO" in the above example) link and log in.
    You are redirected to your Company SSO login page, where you enter your SSO credentials. You are then sent back to UAA before you finally land on the Redirect URI page specified in your UAA (SP) settings.

Example: Configuring UAA to Google IdP OIDC Federated Authentication

About This Task

You must configure the Google IdP Client information before you configure UAA as your Service Provider for OIDC federated authentication with Google IdP.

Follow these steps to set up your Google IdP Client:

Setting Up Google IdP Client Information

Procedure

  1. Create a new project in Google Sign-in for Websites. If you already have a project you can skip this step and select your project.
    Example
  2. Click Next to add the Authorized Redirect URI. For this configuration, the Authorized Redirect URI is your UAA service provider instance Zone ID and UAA Url. You can enter this information in the following format:
    https://<uaa_zone_id>.<uaa_url>/login/callback/*
  3. Download and save the Client ID and Client Secret for your Google IdP client. This is your relying party client ID and secret. You will need this information when you configure UAA as a service provider.
    Example

Configuring UAA as an SP for OIDC Authentication with Google IdP

About This Task

The following example shows how to configure UAA as a service provider for the Google identity provider.

Note: Any changes to the external user accounts must be performed on the external identity provider directly.

Before You Begin

  • Configure your Google IdP client information as outlined in the Setting Up Google IdP Client Information section.
  • Download and save the Client ID and Client Secret for your Google IdP client. You will need this information to configure UAA as a service provider.

Procedure

  1. Click the Identity Providers tab, navigate to the External Identity Provider section, and then click New Identity Provider.
    Example:
  2. In the New Identity Provider form, specify the following information:
    • Name: Specify the name of your IdP.
    • Description: (Optional) Specify a short description for your IdP.
    • Login Link Text: Specify the login text that you want to display for your IdP.
    • Type: Select OIDC as the type.
    • Email Domain: (Optional) Specify the email domain that UAA can use to identify the identity provider if you have configured more than one identity provider.
    • Active: Select this option to set the IdP as active.
    • Username Mapping: Specify the username attribute defined in your IdP.
      Username mapping is a required field that maps the user_name attribute (a unique identifier associated with a user) to a specific user from the IdP.
      Note: You must ensure that the OIDC attribute mapped to the username is unique for each user.
      Although the OIDC specification guarantees a unique sub attribute for each user in the ID token, your OIDC provider may choose to provide a more suitable username attribute in a human-readable format.
    • Authorization Endpoint Url: Specify the authorization endpoint for the OIDC token.
    • Token Endpoint Url: Specify the token URL for retrieving an OIDC token with an authorization code.
    • Token Key Endpoint Url: Specify the token key endpoint URL used for token verification.
    • Token Issuer: Specify the URL of your OIDC provider.
    • Relying Party Client ID: Specify the OIDC provider client ID.
      The Relying Party Client ID and Client Secret are checked against the client ID and client secret stored in the authorization server before an authorization token is issued.
      Use the Client ID that you downloaded and saved in Step 2 of the Setting Up Google IdP Client Information section.
    • Relying Party Client Secret: Specify the OIDC provider client secret.
      Use the Client Secret that you downloaded and saved in Step 2 of the Setting Up Google IdP Client Information section.
    • Attribute Mapping: (Optional) Specify the user attributes and any custom attributes specific to the user.
      Attribute Mapping allows you to propagate the user's name attribute, along with any other stored user information such as email address, first name or last name, from the identity provider (Google) to the service provider (UAA). These attributes, along with any other stored user information, are shared with applications via the OpenID tokens.
    • Automatically create a shadow user on login: Select this option to create a local user in UAA corresponding to each user defined in the identity provider that you are configuring.
    Example:
    Note: In the following example we have used these URLs:
    • https://accounts.google.com/o/oauth2/v2/auth as the Authorization Endpoint Url
    • https://www.googleapis.com/oauth2/v4/token as the Token Endpoint Url
    • https://www.googleapis.com/oauth2/v3/certs as the Token Key Endpoint Url
    Example:
  3. Click Save.
  4. Log in to the UAA Dashboard and create or select a UAA instance that you want to configure as your service provider.

    The Client Management form represents your client application. You can use the information in the Client Management form to verify the Redirect URIs or other client-specific information.

    You can use the Client Management form to enter auto-approve scopes for this client. If there are scopes that you want automatically granted (without user consent), add these scopes to the Client Management form.

  5. Navigate to the Client Management tab in the same UAA instance and click Create Client information.
    Ensure the following information is added to the Create Client form.
    • Client ID: Specify a name for the OAuth2 client you are creating.
    • Authorized Grant Types: authorization_code
      When you use the authorization code grant type, the client directs the resource owner to UAA, which in turn directs the resource owner back to the client with the authorization code.
    • Client Secret: Specify the password. It is important that you keep a note of this password. If lost, this password cannot be retrieved.
    • Confirm Client Secret: Re-enter the client secret.
    • Redirect URI: Specify a redirect URI to redirect the client after login or logout. UAA uses the value of Redirect URI for the /oauth/authorize and /logout endpoints.
      For example: https://google.com
    • Scopes: Scopes are permissions associated with a client that determine user access to a resource through an application.
      Note: For UAA to Google IdP OIDC configuration, you must include the email scope in addition to the openid scope.
    • Allowed Providers: Select the OpenID Connect identity provider that you created through the identity provider configuration.
      For this example, we created a provider named "Google" in Step 2.

    Example:
  6. Click Save.

What To Do Next

Example: Updating Google IdP for Required Scope

About This Task

You must update the Google IdP to include the required email scope. This feature is not available through the UAA dashboard and you must use the uaac commands through your Terminal or Command Prompt to perform this task.

Follow these steps to update the IdP using uaac to include the email scope.

Procedure

  1. Specify your UAA SP instance Url as the intended target.
    uaac target <uaa_instance_url> 

    For example, uaac target https://uaa-dashboard-uaa.predix-uaa.run.aws-usw02-dev.ice.predix.io.

  2. Log in using the administrative client.
    uaac token client get admin
  3. Use the uaac curl /identity-providers command to locate your Google IdP. Copy and save the value for your Google identity provider ID.
    When you enter this command, you will see a list of all configured Identity Providers in this zone.
    For example:
    uaac curl /identity-providers
    [
      {
        "type": "oidc1.0",
        "config": "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":\"Google as Idp\",\"externalGroupsWhitelist\":[],\"attributeMappings\":{\"user_name\":\"user_name\",\"phone_number\":\"925-343-4444\",\"given_name\":\"fname\",\"user.attribute.oidcattrkey\":\"oidcattrvalue\",\"family_name\":\"lname\",\"email\":\"mail\"},\"addShadowUserOnLogin\":false,\"storeCustomAttributes\":true,\"authUrl\":\"https://test-oidc.predix-uaa.run.aws-usw02-dev.ice.predix.io/login/oauth/authorize\",\"tokenUrl\":\"https://test-oidc.predix-uaa.run.aws-usw02-dev.ice.predix.io/login/oauth/token\",\"tokenKeyUrl\":\"https://test-oidc.predix-uaa.run.aws-usw02-dev.ice.predix.io/login/oauth/token_key\",\"tokenKey\":null,\"linkText\":\"Google\",\"showLinkText\":true,\"clientAuthInBody\":false,\"skipSslValidation\":true,\"relyingPartyId\":\"oidcGClient\",\"scopes\":[\"openid\",\"profile\"],\"issuer\":\"https://test-oidc.predix-uaa.run.aws-usw02-dev.ice.predix.io/login/oauth/token\",\"responseType\":\"code\",\"userInfoUrl\":null,\"discoveryUrl\":null}",
        "id": "9832a29d-f79e-4a48-8814-4ab12319ce59",
        "originKey": "abcd",
        "name": "abcd",
        "version": 0,
        "created": 1517445351932,
        "last_modified": 1517445351932,
        "active": true,
        "identityZoneId": "bb0cf71b-148b-445b-bea2-b34501e5526b"
      },
      {
        "type": "oidc1.0",
        "config": "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":\"Google as IdP\",\"externalGroupsWhitelist\":[],\"attributeMappings\":{\"user_name\":\"user_name\",\"user.attribute.oidcattrkey-2\":\"oidcattrvalue-2\",\"given_name\":\"fname\",\"family_name\":\"lname\",\"email\":\"mail\"},\"addShadowUserOnLogin\":false,\"storeCustomAttributes\":true,\"authUrl\":\"https://uaa.system.aws-usw02-dev.ice.predix.io/login/oauth/authorize\",\"tokenUrl\":\"https://uaa.system.aws-usw02-dev.ice.predix.io/login/oauth/token\",\"tokenKeyUrl\":\"https://uaa.system.aws-usw02-dev.ice.predix.io/login/oauth/token_key\",\"tokenKey\":null,\"linkText\":\"Google\",\"showLinkText\":true,\"clientAuthInBody\":false,\"skipSslValidation\":true,\"relyingPartyId\":\"oidcGClient\",\"scopes\":[\"openid\",\"profile\"],\"issuer\":\"https://uaa.system.aws-usw02-dev.ice.predix.io/login/oauth/token\",\"responseType\":\"code\",\"userInfoUrl\":null,\"discoveryUrl\":null}",
        "id": "e9821af2-fc07-41e2-8025-1c99977d7919",
        "originKey": "oidc-google-idp1516910034792",
        "name": "oidc-google-idp1516910034792",
        "version": 2,
        "created": 1516910093721,
        "last_modified": 1516910143500,
        "active": false,
        "identityZoneId": "bb0cf71b-148b-445b-bea2-b34501e5526b"
      }
    ]


    In the example above, we located the Google IdP named oidc-google-idp1516910034792 and the ID value for this IdP, e9821af2-fc07-41e2-8025-1c99977d7919. We must save this ID value for retrieving information specific to the Google identity provider.

  4. Retrieve the configuration specific to your Google IdP using the uaac curl /identity-providers/{id} command and save the returned JSON; it becomes the body of the PUT request in the next step.
    For example:
    uaac curl /identity-providers/e9821af2-fc07-41e2-8025-1c99977d7919

    uaac curl /identity-providers/e9821af2-fc07-41e2-8025-1c99977d7919 -X PUT -H "Content-Type:application/json" -d '{
        "type": "oidc1.0",
        "config": "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":\"Google as IdP\",\"externalGroupsWhitelist\":[],\"attributeMappings\":{\"user_name\":\"user_name\",\"phone_number\":\"925-343-4444\",\"user.attribute.oidcattrkey-2\":\"oidcattrvalue-2\",\"given_name\":\"fname\",\"family_name\":\"lname\",\"email\":\"mail\"},\"addShadowUserOnLogin\":false,\"storeCustomAttributes\":true,\"authUrl\":\"https://accounts.google.com/o/oauth2/v2/auth\",\"tokenUrl\":\"https://www.googleapis.com/oauth2/v4/token\",\"tokenKeyUrl\":\"https://www.googleapis.com/oauth2/v3/certs\",\"tokenKey\":null,\"linkText\":\"Google\",\"showLinkText\":true,\"clientAuthInBody\":false,\"skipSslValidation\":true,\"relyingPartyId\":\"oidcGClient\",\"scopes\":[\"openid\",\"profile\",\"email\"],\"issuer\":\"https://uaa.system.aws-usw02-dev.ice.predix.io/login/oauth/token\",\"responseType\":\"code\",\"userInfoUrl\":null,\"discoveryUrl\":null}",
        "id": "e9821af2-fc07-41e2-8025-1c99977d7919",
        "originKey": "oidc-Google-idp1516910034792",
        "name": "oidc-Google-idp1516910034792",
        "version": 2,
        "created": 1516910093721,
        "last_modified": 1516910143500,
        "active": false,
        "identityZoneId": "bb0cf71b-148b-445b-bea2-b34501e5526b"
      }'

  5. Update your IdP configuration to include email in the scopes.
    1. Open a separate text editor window and enter the following:
      uaac curl /identity-providers/{id} -X PUT -H "Content-Type:application/json" -d '<JSON received from Step 4>'
    2. Paste the Google IdP configuration that you copied in Step 4 inside the '<JSON received from Step 4>' quotes.
    3. Manually add the email scope to the JSON (the config value is an escaped JSON string, so keep the backslashes):
      \"scopes\":[\"openid\",\"profile\",\"email\"]
  6. Copy the command from the text editor, paste it into your Terminal, and press Enter.
    For example:
    uaac curl /identity-providers/ed729b3e-8fc8-4c09-aa03-c43e8957d0cf -X PUT -H "Content-Type:application/json" -d '{
        "type": "oidc1.0",
        "config": "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":\"Google as IdP\",\"externalGroupsWhitelist\":[],\"attributeMappings\":{\"user_name\":\"user_name\",\"user.attribute.oidcattrkey-2\":\"oidcattrvalue-2\",\"given_name\":\"fname\",\"family_name\":\"lname\",\"email\":\"mail\"},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"authUrl\":\"https://accounts.google.com/o/oauth2/v2/auth\",\"tokenUrl\":\"https://www.googleapis.com/oauth2/v4/token\",\"tokenKeyUrl\":\"https://uaa.system.aws-usw02-dev.ice.predix.io/login/oauth/token_key\",\"tokenKey\":null,\"linkText\":\"Google\",\"showLinkText\":true,\"clientAuthInBody\":false,\"skipSslValidation\":true,\"relyingPartyId\":\"149363998617-r84f3n1bp71hbjafklrfko2e15bgef74.apps.googleusercontent.com\",\"scopes\":[\"openid\",\"profile\",\"email\"],\"issuer\":\"https://uaa.system.aws-usw02-dev.ice.predix.io/login/oauth/token\",\"responseType\":\"code\",\"userInfoUrl\":null,\"discoveryUrl\":null}",
        "id": "e9821af2-fc07-41e2-8025-1c99977d7919",
        "originKey": "google",
        "name": "Google",
        "version": 2,
        "created": 1516910093721,
        "last_modified": 1516910143500,
        "active": true,
        "identityZoneId": "bb0cf71b-148b-445b-bea2-b34501e5526b"
      }'
    A 200 response shows that the email scope has been added to the Google identity provider configuration.
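Because the config value is itself a JSON string embedded in the response, hand-editing it as in Step 5 is easy to get wrong (a single missing backslash breaks the PUT body). The following added example, which is not part of this page or of UAA, performs Steps 3 to 5 programmatically on a constructed, trimmed copy of the listing: it locates the IdP by originKey, adds the email scope only once, re-encodes the config string, builds the PUT line, and flags settings worth reviewing before sending it. SAMPLE_IDPS, the ID-GOOGLE/ID-OTHER ids and the helper names are constructed for illustration.

```python
import json

# Constructed sample shaped like the page's uaac curl /identity-providers output:
# note that "config" is a JSON *string* nested inside the JSON document.
SAMPLE_IDPS = json.dumps([
    {"type": "oidc1.0", "originKey": "abcd", "name": "abcd", "id": "ID-OTHER",
     "config": json.dumps({"scopes": ["openid", "profile"], "skipSslValidation": False})},
    {"type": "oidc1.0", "originKey": "oidc-google-idp1516910034792",
     "name": "oidc-google-idp1516910034792", "id": "ID-GOOGLE", "version": 2,
     "config": json.dumps({"scopes": ["openid", "profile"], "skipSslValidation": True,
                           "relyingPartyId": "oidcGClient"})},
])

def find_idp(listing_json, origin_key):
    """Return the IdP entry whose originKey matches (Step 3 of the procedure)."""
    for idp in json.loads(listing_json):
        if idp.get("originKey") == origin_key:
            return idp
    raise KeyError(f"no identity provider with originKey {origin_key!r}")

def add_scope(idp, scope="email"):
    """Decode the nested config string, add the scope once, re-encode it (Step 5)."""
    config = json.loads(idp["config"])          # inner JSON document
    scopes = config.setdefault("scopes", [])
    if scope not in scopes:                      # idempotent: re-running is harmless
        scopes.append(scope)
    updated = dict(idp)                          # leave the caller's copy untouched
    updated["config"] = json.dumps(config)       # json.dumps escapes the quotes for us
    return updated

def config_warnings(idp):
    """Settings a reviewer would flag before PUTting the config back."""
    config = json.loads(idp["config"])
    warnings = []
    if config.get("skipSslValidation"):
        warnings.append("skipSslValidation is true: the provider's TLS certificate is not verified")
    if "openid" not in config.get("scopes", []):
        warnings.append("openid scope missing: the provider will not return an id_token")
    return warnings

def put_command(idp):
    """Build the uaac curl PUT line the procedure has you paste into the Terminal.
    Assumes no single quotes inside the JSON values (the shell argument is '-quoted)."""
    body = json.dumps(idp)
    return (f"uaac curl /identity-providers/{idp['id']} -X PUT "
            f"-H \"Content-Type:application/json\" -d '{body}'")

if __name__ == "__main__":
    updated = add_scope(find_idp(SAMPLE_IDPS, "oidc-google-idp1516910034792"))
    print(put_command(updated), *config_warnings(updated), sep="\n")
```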

What To Do Next

uaas-oidc-federated-authentication.html#task_lbd_qqm_ycb

Example: Verifying the Google IdP Configuration

Procedure

  1. Open a new browser window and make an authorization call using the following format: http://<UAA_ZONE>.<UAA_URL>/oauth/authorize?response_type=code&client_id=<CLIENT_ID>
    Example: https://bfbef8d1-5624-4c2a-857b-4867900c96b6.predix-uaa.run.aws-usw02-pr.ice.predix.io/oauth/authorize?response_type=code&client_id=OIDC_G
  2. You are redirected to your Google account page. If you are not logged in to your Google account, enter your Google account credentials (email and password).
  3. On successful login, the Application Authorization window is displayed. You can choose to Authorize or Deny access to your application.
  4. Click Authorize to access your application.